
Configure Telnet Server to Allow Administrator Access by using Password Authentication

Updated: March 24, 2010

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista

You can use this procedure to allow members of the local Administrators group who log on by using password authentication to use their administrative privileges during a Telnet session.

Windows Vista and Windows Server 2008 introduced User Account Control (UAC) to enhance security based on whether you are logged on as a member of the local Administrators group. UAC also affects how you can use your administrative privileges from within a Telnet session.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

By default, users that log on by using NTLM authentication to a remote Telnet server can use their administrative privileges.

When you connect to a Telnet server by using password authentication, the token is filtered based on the following three conditions:

The default password is password.

The following table shows the results of the possible combinations of these factors when using password authentication to connect to a remote Telnet server. A dash in a cell indicates that the setting does not exist.

| Security account running Telnet service | User account type | LocalAccountTokenFilterPolicy registry entry value | The resulting token is |
|---|---|---|---|
| Local Service | - | - | Filtered |
| LocalSystem | Domain | - | Full |
| LocalSystem | Local | 0 | Filtered |
| LocalSystem | Local | 1 | Full |

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  1. Start the Registry Editor. Click Start, type regedit in the Start Search box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. Open the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

  4. If the entry LocalAccountTokenFilterPolicy does not yet exist, right-click System, and then click Edit, New, and DWord (32-bit) value. Type the name LocalAccountTokenFilterPolicy, and then set its value to 1.

  5. This entry only has meaning when the Telnet service is running under the context of LocalSystem. To run Telnet as Local Service, see the next procedure, To use the Local Service security account to run Telnet.

To use the Local Service security account to run Telnet

  1. Stop the Telnet service. See Enable the Telnet Server Service.

  2. In the Services snap-in, on the Telnet Properties dialog box, click the Log On tab.

  3. In Log on as, click This account, and then type Local Service in the text box.

  4. Type the Administrator account password in the Password and Confirm Password text boxes.

  5. Click OK to save your changes.

  6. Open the Registry Editor. Click Start, type regedit in the Start Search box, and then press ENTER.

  7. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  8. In the navigation pane, find the key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr

  9. In the details pane, double-click RequiredPrivileges.

  10. In the Edit Multi-String dialog box, if SeTcbPrivilege is in the list, remove it.

  11. Click OK to save your changes.

  12. Restart the Telnet Server service. See Enable the Telnet Server Service.

To use the LocalSystem security account to run Telnet

  1. Stop the Telnet Server service. See Enable the Telnet Server Service.

  2. In the Services snap-in, on the Telnet Properties dialog box, click the Log On tab.

  3. In Log on as, click This account, and then type LocalSystem in the text box.

  4. Type the Administrator account password in the Password and Confirm Password text boxes.

  5. Click OK to save your changes.

  6. Open the Registry Editor. Click Start, type regedit in the Start Search box, and then press ENTER.

  7. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  8. In the navigation pane, find the key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr

  9. In the details pane, double-click RequiredPrivileges.

  10. In the Edit Multi-String dialog box, if it is not already there, add SeTcbPrivilege to the list.

  11. Click OK to save your changes.

  12. Restart the Telnet Server service. See Enable the Telnet Server Service.
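
To check which row of the token table a server currently falls into, the following PowerShell function reads the three settings that these procedures change. It is an added example, not part of the original Microsoft procedure; the function name Get-TelnetAdminTokenState and its output fields are hypothetical. It assumes Windows PowerShell 3.0 or later and treats a missing LocalAccountTokenFilterPolicy entry the same as 0.

```powershell
# Added example: reports which token password-authenticated administrators
# receive in a Telnet session, following the table on this page.
function Get-TelnetAdminTokenState {
    $policyKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $serviceKey = 'HKLM:\System\CurrentControlSet\Services\TlntSvr'

    # Security account the Telnet service runs as; no result if it is not installed.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TlntSvr'"
    if (-not $svc) {
        return [pscustomobject]@{ TelnetInstalled = $false }
    }

    # A missing entry corresponds to the dash in the table.
    $policyProp = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $policy     = $policyProp.LocalAccountTokenFilterPolicy

    # RequiredPrivileges is a multi-string value, returned as a string array.
    $svcProp = Get-ItemProperty -Path $serviceKey -ErrorAction SilentlyContinue
    $hasTcb  = @($svcProp.RequiredPrivileges) -contains 'SeTcbPrivilege'

    $isLocalSystem  = $svc.StartName -eq 'LocalSystem'
    $isLocalService = $svc.StartName -match 'Local\s?Service$'

    # Table rows: Local Service always filters; LocalSystem gives domain accounts
    # a full token and local accounts a full token only when the policy value is 1.
    # Assumption: a missing policy entry is treated the same as 0.
    $domainToken = if ($isLocalSystem) { 'Full' } else { 'Filtered' }
    $localToken  = if ($isLocalSystem -and $policy -eq 1) { 'Full' } else { 'Filtered' }

    [pscustomobject]@{
        TelnetInstalled               = $true
        ServiceAccount                = $svc.StartName
        # False means the account is neither of the two the table describes,
        # so the token fields below should not be relied on.
        AccountCoveredByTable         = $isLocalSystem -or $isLocalService
        LocalAccountTokenFilterPolicy = $policy
        SeTcbPrivilegeListed          = $hasTcb
        # The procedures pair LocalSystem with SeTcbPrivilege present and
        # Local Service with it removed; anything else is a mismatch.
        PrivilegeMatchesAccount       = ($isLocalSystem -eq $hasTcb)
        DomainAdminToken              = $domainToken
        LocalAdminToken               = $localToken
    }
}

Get-TelnetAdminTokenState | Format-List
```

A LocalAdminToken value of Full means the registry entry from the first procedure is set to 1 while the service runs as LocalSystem, which is worth recording in the server's configuration baseline.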

For additional information about tokens in Telnet context, refer to the following RFCs available at the Internet Engineering Task Force Web site (http://go.microsoft.com/fwlink/?linkid=121):

  • RFC 2877: 5250 Telnet Enhancements

  • RFC 4559: SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
